{"id":29733,"date":"2024-11-25T12:07:33","date_gmt":"2024-11-25T04:07:33","guid":{"rendered":"https:\/\/fwq.ai\/blog\/29733\/"},"modified":"2024-11-25T12:07:33","modified_gmt":"2024-11-25T04:07:33","slug":"phpcms%e5%90%84%e7%a7%8d%e6%b3%a8%e5%85%a5%e6%bc%8f%e6%b4%9e%e8%a1%a5%e4%b8%81","status":"publish","type":"post","link":"https:\/\/fwq.ai\/blog\/29733\/","title":{"rendered":"PHPCMS\u5404\u79cd\u6ce8\u5165\u6f0f\u6d1e\u8865\u4e01"},"content":{"rendered":"

\"PHPCMS\u5404\u79cd\u6ce8\u5165\u6f0f\u6d1e\u8865\u4e01\u63d2\u56fe\"<\/strong><\/p>\n

1\u3001\u5bbd\u5b57\u8282\u6ce8\u5165\u6f0f\u6d1e<\/strong><\/p>\n

\/\/modules\/pay\/respond.php \u4f4d\u7f6e\u7ea616\u884c<\/p>\n

\u539f\u6765\u4ee3\u7801<\/p>\n

$payment = $this-&gt;get_by_code($_GET['code']);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u66ff\u6362\u4e3a<\/p>\n
\u7acb\u5373\u5b66\u4e60<\/span>\u201c\u201d\uff1b<\/p>\n
$payment = $this-&gt;get_by_code(mysql_real_escape_string($_GET['code']));<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
2\u3001phpcms\u6ce8\u5165\u6f0f\u6d1e<\/strong><\/p>\n
\/phpcms\/modules\/poster\/poster.php \u4f4d\u7f6e\u7ea6221\u884c<\/p>\n
if ($_GET['group']) {<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e4b\u540e\u52a0\u4e0a<\/p>\n
$_GET['group'] = preg_replace('#`#', '', $_GET['group']);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
3\u3001phpcms\u524d\u53f0\u6ce8\u5165\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u8865\u4e01<\/strong><\/p>\n
\/phpcms\/modules\/content\/down.php<\/p>\n
\uff081\uff09\u4f4d\u7f6e\u7ea617\u884c<\/p>\n
parse_str($a_k);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u66ff\u6362\u4e3a<\/p>\n
\u7acb\u5373\u5b66\u4e60<\/span>\u201c\u201d\uff1b<\/p>\n
$a_k = safe_replace($a_k); parse_str($a_k);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\uff082\uff09\u4f4d\u7f6e\u7ea689\u884c<\/p>\n
parse_str($a_k);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u66ff\u6362\u4e3a<\/p>\n
\u7acb\u5373\u5b66\u4e60<\/span>\u201c\u201d\uff1b<\/p>\n
$a_k = safe_replace($a_k); parse_str($a_k);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\uff083\uff09\u4f4d\u7f6e\u7ea6120\u884c<\/p>\n
$filename = date('Ymd_his').random(3).'.'.$ext;<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e4b\u540e\u52a0\u4e0a<\/p>\n
$fileurl = str_replace(array(''), '',$fileurl);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
4\u3001phpcms\u6ce8\u5165\u6f0f\u6d1e<\/strong><\/p>\n
\/phpcms\/modules\/member\/index.php \u4f4d\u7f6e\u7ea6615\u884c<\/p>\n
\u539f\u6765\u4ee3\u7801\uff1a<\/p>\n
$password = isset($_POST['password']) &amp;&amp; trim($_POST['password']) ? trim($_POST['password']) : \nshowmessage(L('password_empty'),HTTP_REFERER);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u66ff\u6362\u4e3a\uff1a<\/p>\n
$password = isset($_POST['password']) &amp;&amp; trim($_POST['password']) ? addslashes(urldecode(trim($_POST['password']\n))) : showmessage(L('password_empty'), HTTP_REFERER);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
5\u3001PHPCMS V9.6.2 SQL\u6ce8\u5165\u6f0f\u6d1e<\/strong><\/p>\n
\uff081\uff09phpcms\/libs\/classes\/param.class.php \u4f4d\u7f6e\u7ea6109\u884c<\/p>\n
\u539f\u6765\u4ee3\u7801<\/p>\n
$value = isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u66ff\u6362\u4e3a<\/p>\n
\u7acb\u5373\u5b66\u4e60<\/span>\u201c\u201d\uff1b<\/p>\n
$value = isset($_COOKIE[$var])?addslashes(sys_auth($_COOKIE[$var],'DECODE')):$default;<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\uff082\uff09\/phpsso_server\/phpcms\/libs\/classes\/param.class.php \u4f4d\u7f6e\u7ea6108\u884c<\/p>\n
\u539f\u6765\u4ee3\u7801<\/p>\n
return isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u66ff\u6362\u4e3a<\/p>\n
\u7acb\u5373\u5b66\u4e60<\/span>\u201c\u201d\uff1b<\/p>\n
return isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var],'DECODE')) : $default;<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
6\u3001phpcms\u67d0\u5904\u903b\u8f91\u95ee\u9898\u5bfc\u81f4getshell<\/strong><\/p>\n
\/phpcms\/libs\/classes\/attachment.class.php \u4f4d\u7f6e\u7ea6143\u884c<\/p>\n
function download($field, $value,$watermark = '0',$ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = ''){<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u4e4b\u540e\u52a0\u4e0a<\/p>\n
   $extArray=explode('|',$ext); \n     if(!empty($extArray) &amp;&amp; is_array($extArray)){ \n         foreach($extArray as $k =&gt; $v){ \n           if(!in_array(strtolower($v), array('gif','jpg','jpeg','bmp','png'))); exit('0');\/\/\u5faa\u73af\u5224\u65ad\u5982\u679c\n           \u6709\u4e00\u4e2a\u4e0d\u7b26\u5408\uff0c\u76f4\u63a5\u8fd4\u56de 0 \n         } \n      }<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u8fd9\u6837\uff0c\u52a0\u5165\u4e00\u4e2a\u5224\u65ad\uff0c\u5982\u679c\u5141\u8bb8\u7684\u6587\u4ef6\u683c\u5f0f\u662f’gif’,’jpg’,’jpeg’,’bmp’,’png’\u8fd9\u4e9b\uff0c\u5c31\u7ee7\u7eed\uff0c\u4e0d\u7136\u5c31\u8df3\u51fa\uff0c\u5f53\u7136\u8fd9\u91cc\u7684\u683c\u5f0f\u53ef\u4ee5\u6839\u636e\u9700\u8981\u589e\u591a\u51e0\u4e2a\u3002<\/p>\n
7\u3001phpcms\u6ce8\u5165\u6f0f\u6d1e<\/strong><\/p>\n
\/api\/phpsso.php \u4f4d\u7f6e\u7ea6128\u884c<\/p>\n
\u539f\u6765\u4ee3\u7801<\/p>\n
$arr['uid'] = intval($arr['uid']);\n$phpssouid = $arr['uid'];<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
\u66ff\u6362\u4e3a\uff0c\u4e8c\u5408\u4e00\u4ee3\u7801<\/p>\n
$phpssouid = intval($arr['uid']);<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
8\u3001phpcms authkey\u751f\u6210\u7b97\u6cd5\u95ee\u9898\u5bfc\u81f4authkey\u6cc4\u9732<\/strong><\/p>\n
\u7167\u7740\u4e0b\u9762\u7684\u51fd\u6570\u91cd\u65b0\u751f\u6210\u4e00\u4e0bkey\u503c\uff0c\u7136\u540e\u627ecaches\/configs\/system.php \u91cc\u9762\u628a\u4e24\u4e2a\u53c2\u6570\u66ff\u6362\u4e00\u4e0b\u5c31ok\u4e86<\/p>\n
<?php  \n     function random($length, $chars = '0123456789') { \n       \n        $hash = ''; \n        $max = strlen($chars) - 1; \n        for($i = 0; $i < $length; $i++) { \n            $hash .= $chars[mt_rand(0, $max)]; \n        } \n        return $hash; \n    }\n    \n    echo random(20, 'authkey').'<br\/>';    \n    echo random(32, 'phpssoauthkey');exit; \n?&gt;<\/pre>\n
 \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
PHP\u4e2d\u6587\u7f51\uff0c\u5927\u91cf\u7684\u514d\u8d39\uff0c\u6b22\u8fce\u5728\u7ebf\u5b66\u4e60\uff01<\/p>\n
\u4ee5\u4e0a\u5c31\u662fPHPCMS\u5404\u79cd\u6ce8\u5165\u6f0f\u6d1e\u8865\u4e01\u7684\u8be6\u7ec6\u5185\u5bb9\uff0c\u66f4\u591a\u8bf7\u5173\u6ce8\u7c73\u4e91\u5176\u5b83\u76f8\u5173\u6587\u7ae0\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
1\u3001\u5bbd\u5b57\u8282\u6ce8\u5165\u6f0f\u6d1e \/\/modules\/pay\/respond.php \u4f4d\u7f6e\u7ea616\u884c \u539f\u6765\u4ee3\u7801 $payment = $this-&gt;get_by_code($_GET[‘code’]); \u767b\u5f55\u540e\u590d\u5236 \u66ff\u6362\u4e3a \u7acb\u5373\u5b66\u4e60\u201c\u201d\uff1b $payment = $this-&gt;get_by_code(mysql_real_escape_string($_GET[‘code’])); \u767b\u5f55\u540e\u590d\u5236 2\u3001phpcms\u6ce8\u5165\u6f0f\u6d1e \/phpcms\/modules\/poster\/poster.php \u4f4d\u7f6e\u7ea6221\u884c if ($_GET[‘group’]) { \u767b\u5f55\u540e\u590d\u5236 \u4e4b\u540e\u52a0\u4e0a $_GET[‘group’] = preg_replace(‘#`#’, ”, $_GET[‘group’]); \u767b\u5f55\u540e\u590d\u5236 3\u3001phpcms\u524d\u53f0\u6ce8\u5165\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\u8865\u4e01 \/phpcms\/modules\/content\/down.php \uff081\uff09\u4f4d\u7f6e\u7ea617\u884c parse_str($a_k); \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 \u66ff\u6362\u4e3a \u7acb\u5373\u5b66\u4e60\u201c\u201d\uff1b $a_k = safe_replace($a_k); parse_str($a_k); \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 \uff082\uff09\u4f4d\u7f6e\u7ea689\u884c parse_str($a_k); \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 \u66ff\u6362\u4e3a \u7acb\u5373\u5b66\u4e60\u201c\u201d\uff1b $a_k = safe_replace($a_k); parse_str($a_k); \u767b\u5f55\u540e\u590d\u5236 \u767b\u5f55\u540e\u590d\u5236 \uff083\uff09\u4f4d\u7f6e\u7ea6120\u884c $filename = date(‘Ymd_his’).random(3).’.’.$ext; \u767b\u5f55\u540e\u590d\u5236 \u4e4b\u540e\u52a0\u4e0a $fileurl = str_replace(array(”), ”,$fileurl); \u767b\u5f55\u540e\u590d\u5236 4\u3001phpcms\u6ce8\u5165\u6f0f\u6d1e \/phpcms\/modules\/member\/index.php \u4f4d\u7f6e\u7ea6615\u884c \u539f\u6765\u4ee3\u7801\uff1a $password = isset($_POST[‘password’]) &amp;&amp; trim($_POST[‘password’]) ? trim($_POST[‘password’]) :  showmessage(L(‘password_empty’),HTTP_REFERER); \u767b\u5f55\u540e\u590d\u5236 \u66ff\u6362\u4e3a\uff1a $password = isset($_POST[‘password’]) &amp;&amp; trim($_POST[‘password’]) ? addslashes(urldecode(trim($_POST[‘password’] ))) : showmessage(L(‘password_empty’), HTTP_REFERER); \u767b\u5f55\u540e\u590d\u5236 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[],"class_list":["post-29733","post","type-post","status-publish","format-standard","hentry","category-cms"],"_links":{"self":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/29733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/comments?post=29733"}],"version-history":[{"count":0,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/29733\/revisions"}],"wp:attachment":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/media?parent=29733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/categories?post=29733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/tags?post=29733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}